<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Get overall buckets API | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'ml-get-overall-buckets.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/ml-get-overall-buckets.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/ml-get-overall-buckets.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/ml-get-overall-buckets.html" rel="nofollow" target="_blank">../en/ml-get-overall-buckets.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="rest-apis.html">REST APIs</a></span>
»
<span class="breadcrumb-link"><a href="ml-apis.html">Machine learning anomaly detection APIs</a></span>
»
<span class="breadcrumb-node">Get overall buckets API</span>
</div>
<div class="navheader">
<span class="prev">
<a href="ml-get-snapshot.html">« Get model snapshots API</a>
</span>
<span class="next">
<a href="ml-get-calendar-event.html">Get scheduled events API »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="ml-get-overall-buckets"></a>Get overall buckets API<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/ml/anomaly-detection/apis/get-overall-buckets.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>

<p>Retrieves overall bucket results that summarize the bucket results of multiple
anomaly detection jobs.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-overall-buckets-request"></a>Request<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/ml/anomaly-detection/apis/get-overall-buckets.asciidoc">edit</a>
</h3>
</div></div></div>
<p><code class="literal">GET _ml/anomaly_detectors/&lt;job_id&gt;/results/overall_buckets</code><br></p>
<p><code class="literal">GET _ml/anomaly_detectors/&lt;job_id&gt;,&lt;job_id&gt;/results/overall_buckets</code><br></p>
<p><code class="literal">GET _ml/anomaly_detectors/_all/results/overall_buckets</code></p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-overall-buckets-prereqs"></a>Prerequisites<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/ml/anomaly-detection/apis/get-overall-buckets.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
If the Elasticsearch security features are enabled, you must have <code class="literal">monitor_ml</code>,
<code class="literal">monitor</code>, <code class="literal">manage_ml</code>, or <code class="literal">manage</code> cluster privileges to use this API. You also
need <code class="literal">read</code> index privilege on the index that stores the results. The
<code class="literal">machine_learning_admin</code> and <code class="literal">machine_learning_user</code> roles provide these
privileges. See <a class="xref" href="security-privileges.html" title="Security privileges">Security privileges</a> and <a class="xref" href="built-in-roles.html" title="Built-in roles">Built-in roles</a>.
</li>
</ul>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-overall-buckets-desc"></a>Description<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/ml/anomaly-detection/apis/get-overall-buckets.asciidoc">edit</a>
</h3>
</div></div></div>
<p>You can summarize the bucket results for all anomaly detection jobs by using <code class="literal">_all</code> or
by specifying <code class="literal">*</code> as the <code class="literal">&lt;job_id&gt;</code>.</p>
<p>By default, an overall bucket has a span equal to the largest bucket span of the
specified anomaly detection jobs. To override that behavior, use the optional
<code class="literal">bucket_span</code> parameter. To learn more about the concept of buckets, see
<a href="https://www.elastic.co/guide/en/machine-learning/7.7/ml-buckets.html" class="ulink" target="_top">Buckets</a>.</p>
<p>The <code class="literal">overall_score</code> is calculated by combining the scores of all the buckets
within the overall bucket span. First, the maximum <code class="literal">anomaly_score</code> per
anomaly detection job in the overall bucket is calculated. Then the <code class="literal">top_n</code> of those
scores are averaged to result in the <code class="literal">overall_score</code>. This means that you can
fine-tune the <code class="literal">overall_score</code> so that it is more or less sensitive to the number
of jobs that detect an anomaly at the same time. For example, if you set <code class="literal">top_n</code>
to <code class="literal">1</code>, the <code class="literal">overall_score</code> is the maximum bucket score in the overall bucket.
Alternatively, if you set <code class="literal">top_n</code> to the number of jobs, the <code class="literal">overall_score</code> is
high only when all jobs detect anomalies in that overall bucket.  If you set
the <code class="literal">bucket_span</code> parameter (to a value greater than its default), the
<code class="literal">overall_score</code> is the maximum <code class="literal">overall_score</code> of the overall buckets that have
a span equal to the jobs' largest bucket span.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-overall-buckets-path-parms"></a>Path parameters<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/ml/anomaly-detection/apis/get-overall-buckets.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">&lt;job_id&gt;</code>
</span>
</dt>
<dd>
(Required, string)
Identifier for the anomaly detection job. It can be a job identifier, a group name, a
comma-separated list of jobs or groups, or a wildcard expression.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-overall-buckets-request-body"></a>Request body<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/ml/anomaly-detection/apis/get-overall-buckets.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">allow_no_jobs</code>
</span>
</dt>
<dd>
<p>
(Optional, boolean)
Specifies what to do when the request:
</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Contains wildcard expressions and there are no jobs that match.
</li>
<li class="listitem">
Contains the <code class="literal">_all</code> string or no identifiers and there are no matches.
</li>
<li class="listitem">
Contains wildcard expressions and there are only partial matches.
</li>
</ul>
</div>
<p>The default value is <code class="literal">true</code>, which returns an empty <code class="literal">jobs</code> array
when there are no matches and the subset of results when there are partial
matches. If this parameter is <code class="literal">false</code>, the request returns a <code class="literal">404</code> status code
when there are no matches or only partial matches.</p>
</dd>
<dt>
<span class="term">
<code class="literal">bucket_span</code>
</span>
</dt>
<dd>
(Optional, string) The span of the overall buckets. Must be greater or equal to
the largest bucket span of the specified anomaly detection jobs, which is the default
value.
</dd>
<dt>
<span class="term">
<code class="literal">end</code>
</span>
</dt>
<dd>
(Optional, string) Returns overall buckets with timestamps earlier than this
time.
</dd>
<dt>
<span class="term">
<code class="literal">exclude_interim</code>
</span>
</dt>
<dd>
<p>
(Optional, boolean)
If <code class="literal">true</code>, the output excludes interim results. By default, interim results are
included.
</p>
<p>If any of the job bucket results within the overall bucket interval are interim
results, the overall bucket results are interim results.</p>
</dd>
<dt>
<span class="term">
<code class="literal">overall_score</code>
</span>
</dt>
<dd>
(Optional, double) Returns overall buckets with overall scores greater than or
equal to this value.
</dd>
<dt>
<span class="term">
<code class="literal">start</code>
</span>
</dt>
<dd>
(Optional, string) Returns overall buckets with timestamps after this time.
</dd>
<dt>
<span class="term">
<code class="literal">top_n</code>
</span>
</dt>
<dd>
(Optional, integer) The number of top anomaly detection job bucket scores to be used in
the <code class="literal">overall_score</code> calculation. The default value is <code class="literal">1</code>.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-overall-buckets-results"></a>Response body<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/ml/anomaly-detection/apis/get-overall-buckets.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The API returns an array of overall bucket objects, which have the following
properties:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">bucket_span</code>
</span>
</dt>
<dd>
(number) The length of the bucket in seconds. Matches the job with the longest <code class="literal">bucket_span</code> value.
</dd>
<dt>
<span class="term">
<code class="literal">is_interim</code>
</span>
</dt>
<dd>
(boolean)
If <code class="literal">true</code>, this is an interim result. In other words, the results are calculated
based on partial input data.
</dd>
<dt>
<span class="term">
<code class="literal">jobs</code>
</span>
</dt>
<dd>
(array) An array of objects that contain the <code class="literal">max_anomaly_score</code> per <code class="literal">job_id</code>.
</dd>
<dt>
<span class="term">
<code class="literal">overall_score</code>
</span>
</dt>
<dd>
(number) The <code class="literal">top_n</code> average of the maximum bucket <code class="literal">anomaly_score</code> per job.
</dd>
<dt>
<span class="term">
<code class="literal">result_type</code>
</span>
</dt>
<dd>
(string) Internal. This is always set to <code class="literal">overall_bucket</code>.
</dd>
<dt>
<span class="term">
<code class="literal">timestamp</code>
</span>
</dt>
<dd>
(date)
The start time of the bucket for which these results were calculated.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="ml-get-overall-buckets-example"></a>Examples<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/ml/anomaly-detection/apis/get-overall-buckets.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET _ml/anomaly_detectors/job-*/results/overall_buckets
{
  "overall_score": 80,
  "start": "1403532000000"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1828.console"></div>
<p>In this example, the API returns a single result that matches the specified
score and time constraints. The <code class="literal">overall_score</code> is the max job score as
<code class="literal">top_n</code> defaults to 1 when not specified:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "count": 1,
  "overall_buckets": [
    {
      "timestamp" : 1403532000000,
      "bucket_span" : 3600,
      "overall_score" : 80.0,
      "jobs" : [
        {
          "job_id" : "job-1",
          "max_anomaly_score" : 30.0
        },
        {
          "job_id" : "job-2",
          "max_anomaly_score" : 10.0
        },
        {
          "job_id" : "job-3",
          "max_anomaly_score" : 80.0
        }
      ],
      "is_interim" : false,
      "result_type" : "overall_bucket"
    }
  ]
}</pre>
</div>
<p>The next example is similar but this time <code class="literal">top_n</code> is set to <code class="literal">2</code>:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET _ml/anomaly_detectors/job-*/results/overall_buckets
{
  "top_n": 2,
  "overall_score": 50.0,
  "start": "1403532000000"
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1829.console"></div>
<p>Note how the <code class="literal">overall_score</code> is now the average of the top 2 job scores:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "count": 1,
  "overall_buckets": [
    {
      "timestamp" : 1403532000000,
      "bucket_span" : 3600,
      "overall_score" : 55.0,
      "jobs" : [
        {
          "job_id" : "job-1",
          "max_anomaly_score" : 30.0
        },
        {
          "job_id" : "job-2",
          "max_anomaly_score" : 10.0
        },
        {
          "job_id" : "job-3",
          "max_anomaly_score" : 80.0
        }
      ],
      "is_interim" : false,
      "result_type" : "overall_bucket"
    }
  ]
}</pre>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="ml-get-snapshot.html">« Get model snapshots API</a>
</span>
<span class="next">
<a href="ml-get-calendar-event.html">Get scheduled events API »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>